[MrAwesome]

Several years ago, when I worked at FB, I ran into a similar bug on an early internal version of a Messenger rewrite. Sent pictures to one chat, showed up in another.

My bug report on it kicked off an absolute maelstrom of dev activity and investigation. High level engineers showed up in the comments. Lots of immediate followup. The severity was clearly understood and resolving it was clearly prioritized.

I exclusively use Signal now, but the discrepancy between what I see here and what I saw there is pretty disheartening. This kind of bug is not only a massive privacy risk, but it also massively erodes user confidence and trust.

[rococode]

They've just posted an update saying that the issue was fixed on July 21. It's certainly good that it's fixed...

But that's still over 7 months before it was fixed, including a 2 month period where people were still bumping the issue asking for help with no response from maintainers (afterwards, the issue went quiet until ~2 weeks ago). And there was at least one other issue on the same problem a few months later that received no response [1].

I understand the team is probably understaffed given the vast number of open issues (1300+) they have, many with no response, and I can sympathize with the challenges of being a small team developing an app used by millions, but they probably need to figure out a better way to triage...

[1] https://github.com/signalapp/Signal-Android/issues/11137

[spullara]

It was fixed a long time and only closed recently, see the message from the dev.

[rococode]

No, the dev writes on GitHub that "this issue was fixed in 5.17 (which hit 100% production on 7/21)". Releases show 5.17.0 was released on July 15. They've also linked the commits that fix the bug - the fixes were committed 10 days ago.

[godelski]

I don't think Signal has many devs[0] and if you look at the contributors[1] you can see that Grayson is pretty much the only dev for the Android app. So seeing a second dev get involved is probably them freaking out.

[0] Personally I believe this is a big bump in the road for Signal and is why a lot of people are frustrated. About promises about things like usernames (it is no longer early 2021), channels, and everything else. A few devs can only do so much. A dozen (maybe 2 dozen?) devs can still only do so much. How do you compete with other platforms like Telegram that has hundreds of employees or WhatsApp with far more than that?

[1] https://github.com/signalapp/Signal-Android/graphs/contribut...

[dunefox]

I mean, they invested a year into covert development of a crypto wallet inside Signal. Maybe that time could have been spent better.

[godelski]

From the commits I only really saw Moxie adding this and he hasn't been doing as much dev work in the last few years. So I don't feel that this took much away. It's hard to tell if it is a good move or not since Telegram and WA are both adding payments to their platforms and there is a need for feature parity. But regardless, MOB probably wasn't a good fit and we've seen no update since.

My complaint is more than Signal moves far too slow. I'm not saying to move fast and break things, that's far from what I want. But I am saying maybe add a few more devs.

[dunefox]

> But I am saying maybe add a few more devs.

Absolutely, then such an important issue probably wouldn't stay open for this long.

[aadjklskljads]

No, Signal does not get to play the limited resources card when they so firmly discourage 3rd parties from working on their project.

[maqp]

No, contrary to common belief, coordinating with multiple client projects to release features simultaneously etc, is not easier. The number of meetings does not drop, the quality will not improve if you now have to check that multiple clients are safe. You won't magically get more eyes on your code, when people are working on their code, not yours. And at that point you now have to deal with people who think they have as much say as you have because their fork is "equally important". And trying to explain to a non-cryptographer hobbyist why some change needs to be done, or why some feature can/should not be implemented, is not speeding things up.

[LurkersWillLurk]

Could you explain what Signal is doing to discourage contributions?

[afroboy]

By not allowing 3rd parties apps to coexist with official signal app. (Using same servers)

[growse]

Signal placing restrictions on who can use their service has nothing to do with whether or not people can contribute to the codebase.

[hjek]

It does. There is less incentive to work on a Signal client fork if it can't be used to interoperate with the Signal service.

[RedComet]

Nor when they've received millions in grant money.

[baby]

Not true

[woxko]

Bug report is eight months old now. I don't think they're freaking out much.

[godelski]

But the issue is fixed. Forgetting to close a bug report is different than not fixing the bug

[jeroenhd]

True, but the issue was fixed in 5.17, which was released only 10 days ago [1]. For an issue opened December last year, that's still quite a lot of time before a fix could be found.

[1] https://github.com/signalapp/Signal-Android/commit/a47448b6c...

[croes]

Try fixing a rare bug quicker without constant user metrics.

[Arnt]

Yes, indeed.

This kind of bug is an argument for having metrics.

[ergocoder]

If this is the case, then we should just say:

Signal is not secure because they have limited resource and cannot invest in an area with Security adequately.

[askvictor]

Or perhaps we drop the pretence of anything being absolute ('secure' vs 'not secure') and have a more honest discussion about the different threats and where different products do better or worse? I'm sure Whatsapp is much better in being able to resource their security measures, yet being owned by Facebook, and being closed-source diminishes their security in other ways.

[baby]

I personally trust whatsapp, great product

[rplnt]

This happens to me all the time in Messenger. Just locally though. Like if I sent an image and delete it from the phone, the app shows some other random image instead.

[Moru]

The bug seems to reuse images already present on your device, not send new images to other users.

[swiley]

The older software probably spoke xmpp which meant people could just leave when it misbehaved. Signal has been against this from the beginning, it's against the ToS and the owner has asked devs of alternative clients to stop developing them.

No "apps" are ever good.